SB2019112006 - Stored CSV Injection in Lenovo XClarity Controller (XCC)

Published: November 20, 2019

Security Bulletin ID: SB2019112006
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Code Injection (CVE-ID: CVE-2019-6187)

The vulnerability allows a local user to inject arbitrary code into CSV files.

The vulnerability exists due to insufficient sanitization of user-supplied data when constructing CSV files. A local administrator can store malformed data in certain XCC server informational fields, which could result in crafted formulas being stored in an exported CSV file.

Successful exploitation of this vulnerability may allow a local administrator to execute arbitrary code and compromise the vulnerable system.
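The export path described above is hardened by neutralizing formula trigger characters before a user-controlled field is written to a CSV cell. The following Python is an added illustration, not Lenovo's XCC code; the field names and sample values are constructed.

```python
import csv
import io

# Characters that spreadsheet applications may interpret as the start of a
# formula when a CSV cell is opened. Tab and carriage return are included
# because some parsers allow them to precede a formula trigger character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Return a cell value that spreadsheet software treats as literal text.

    A leading single quote forces the cell to be read as a string. Values that
    do not start with a trigger character are returned unchanged. Note that a
    legitimate negative number such as "-5" is also prefixed; that is the
    accepted trade-off for untrusted free-text fields.
    """
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(rows: list[dict[str, str]], fieldnames: list[str]) -> str:
    """Write rows to CSV text, neutralizing every user-controlled cell.

    csv.QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quotes, so a value cannot break out of its cell and start a new one.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, "")))
                         for k in fieldnames})
    return buf.getvalue()


# Constructed sample: informational fields as an administrator might set them,
# including one that begins with a formula trigger character (hypothetical).
SAMPLE_SERVERS = [
    {"hostname": "bmc-01", "location": "Rack 4, U12", "contact": "ops@example.com"},
    {"hostname": "bmc-02", "location": "=1+1", "contact": '-ops, "night" shift'},
]
FIELDS = ["hostname", "location", "contact"]

if __name__ == "__main__":
    print(export_rows(SAMPLE_SERVERS, FIELDS))
```

Opening the exported text in a spreadsheet shows the cells as the literal strings '=1+1 and '-ops, "night" shift rather than evaluating them.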


Remediation

Install the update from the vendor's website.